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Abstract 

In this paper we consider quantum interactive proof systems, i.e., interactive proof systems in 
which the prover and verifier may perform quantum computations and exchange quantum messages. 
It is proved that every language in PSPACE has a quantum interactive proof system that requires 
only two rounds of communication between the prover and verifier, while having exponentially small 
(one-sided) probability of error. It follows that quantum interactive proof systems are strictly more 
powerful than classical interactive proof systems in the constant-round case unless the polynomial 
time hierarchy collapses to the second level. 
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^ ■ 1 Introduction 

7— I ! 

A number of recent papers have provided compelling evidence (and proof, in some cases) that certain 
computational, cryptographic, and information-theoretic tasks can be performed more efficiently by 
models based on quantum physics than those based on classical physics. For example, Shor [^] has 
ON ' shown that integers can be factored in expected polynomial time by quantum computers, a quantum 



key distribution protocol of Bennett and Brassard |10[ that does not rely on intractability assumptions 



has been proven secure under a wide variety of attacks [^, 25, 26], and Buhrman, Cleve, and Wigderson 



1 13 1 have shown various separation results between quantum and classical two-party communication 
^ ■ complexity models. In this paper we introduce the quantum analogue of another concept — interactive 
proof systems — and provide strong evidence that additional power is gained by interactive proof sys- 
tems in the quantum setting. 

Interactive proof systems were introduced by Goldwasser, Micali, and Rackoff 22] and Babai 



J||. Informally, in an interactive proof system a computationally unbounded prover interacts with a 
polynomial-time probabilistic verifier and attempts to convince the verifier to accept a given input 
string. A language L is said to have an interactive proof system if there exists a verifier V such that 
(i) there exists a prover P (called an honest prover) that can always convince V to accept when the 
given input is in L, and (ii) no prover P' can convince V to accept with nonnegligable probability 
when the input is not in L. The class of languages having interactive proof systems is denoted IP. 
Based on the work of Lund, Fortnow, Karloff, and Nisan [24], Shamir [27| proved that every 



language in PSPACE has an interactive proof system. Since any language having an interactive proof 



system is in PSPACE [20], this implies IP = PSPACE. All known protocols for PSPACE require 



a nonconstant number of rounds of communication between the prover and verifier, and cannot be 



parallelized to require only a constant number of rounds under the assumption that the polynomial 
time hierarchy is proper. This is because the class of languages having constant-round interactive 
proof systems is equivalent to the class AM ||], 23], and hence is contained in IT^. 



The main result we prove in this paper is as follows. 

Theorem 1 Every language in PSPACE has a 2-round quantum interactive proof system with expo- 
nentially small probability of error. 

This result contrasts with the facts mentioned above regarding classical interactive proof systems, 
as it shows there are languages having 2-round quantum interactive proof systems that do not have 
constant-round classical interactive proof systems unless AM = PSPACE. 

We now summarize informally our technique for proving Theorem |]. Consider the following (unsuc- 
cessful) method for trying to reduce the number of rounds required by a nonconstant-round protocol 
for PSPACE to a constant: define the verifier so that it chooses all of its random numbers initially, 
sends them all to the prover in one round (or in a constant number of rounds), receives all the re- 
sponses from the prover, and checks the validity of the responses. This will not work, since the prover 
may cheat by "looking ahead" and basing its responses on random numbers that would have been sent 
in later rounds in the nonconstant-round case. However, using interactive proofs based on quantum 
physics, this technique can be made to work, as the aforementioned behavior on the part of the prover 
can be detected by a quantum verifier. We now sketch the method for doing this — a formal description 
of the protocol appears in Section ||[ 

The prover first sends a superposition of sequences of random numbers and corresponding responses 
to the verifier, and the verifier checks that the responses are valid according to a classical protocol 
for PSPACE. (It will be shown that the prover cannot cheat by giving the verifier a superposition 
that is biased towards certain random sequences — the verifier will be able to later check that the 
superposition is close to uniform.) The verifier then chooses randomly one of the positions in the list 
of random numbers and responses, sends back to the prover its responses starting at this position in 
the list and challenges the prover to invert the computation it performed to obtain these responses. 
Let us say that the random numbers and responses up to the chosen position in the list have low- 
index, and the remaining random numbers and responses have high-index. The low-index responses, 
which were not sent back to the prover in the second round, should now depend only on the low- 
index random numbers (for otherwise the prover has cheated). The verifier may now check that 
the superposition of high-index random numbers is uniform by performing an appropriately defined 
measurement. However, if the prover has cheated by basing its low-index responses on high-index 
random numbers, the low-index responses and high-index random numbers will be entangled in a 
manner detectable by the verifier; with high probability, the high-index random numbers will fail 
the uniformity test. By performing this process itself in parallel a polynomial number of times, the 
probability a cheating prover escapes detection is made exponentially small, while the protocol still 
requires only two rounds of communication. 

The remainder of the paper has the following organization. In Section [| we formally define quan- 
tum interactive proof systems. In Section || we prove Theorem [l] by presenting a 2-round quantum 
interactive proof system for the quantified Boolean formula problem and proving its correctness. We 
conclude with Section which mentions a number of open problems regarding quantum interactive 
proofs. 
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2 Definition of quantum interactive proof systems 



We now give a formal definition of quantum interactive proof systems. We restrict our attention to 
constant round quantum interactive proof systems, although the definition is easily extended to a 
nonconstant number of rounds. The model for quantum computation that provides a basis for our 
definition of quantum interactive proof systems is the quantum circuit model. We will not define quan- 
tum circuits or discuss them in detail, as this has been done elsewhere (see Yao [ j3lf l and Berthiaume 



[11 1, for example). 

A fc-round verifier V is a polynomial-time computable mapping V : S* x {0, ... , k} — > E*, where 
each V(x,j) is an encoding of a quantum circuit composed of quantum gates from some appropriately 
chosen universal set of gates. Universal sets of gates/transformations have been investigated in a 
number of papers [jl], [?], || [l6|, 17]; for the purposes of this paper, we will assume only that this set 
includes the Walsh-Hadamard gate and any universal gate for reversible computation such as the 
Fredkin gate or Toffoli gate. Each encoding V(x,j) is identified with the quantum circuit it encodes. 
Since the mapping V is computable in polynomial time, each circuit V(x,j) must be polynomial in 
size. The qubits upon which each V(x,j) acts are assumed to be divided into two groups: message 
qubits and ancilla qubits. The message qubits represent the communication channel between the 
prover and verifier, while the ancilla qubits represent qubits that are private to the verifier. One of 
the verifier's ancilla qubits is specified as the output qubit. 

A &-round prover P is a mapping from S* x {1, ... , k} to the set of all quantum circuits. No 
restrictions are placed on the size of each P(x, j) or on the gates from which these circuits are composed. 
Similar to the case of the verifier, the qubits of the prover are divided into message qubits and ancilla 
qubits. Note that although the prover is all-powerful in a computational sense (there is no bound 
on the complexity of the mapping P or on the size of each P(x,j)), we of course require that the 
prover obey the laws of physics! This is enforced by requiring that the prover's actions correspond to 
quantum circuits. 

Given a pair (P, V), we consider a quantum circuit composed in the manner illustrated in Figure |] 
(the case k = 2 is shown). The probability that a pair (P, V) accepts a given input x is defined to 
be the probability that an observation of the output qubit in the {[0), |1)} basis yields |1) when the 
circuits V(x, 0), P(x, 1), V(x, 1), . . . , P(x, k),V(x, k) are applied in sequence as illustrated, assuming 
all qubits are initially in the |0) state. 

Now, we say that a language L has a fc-round quantum interactive proof system with error proba- 
bility e if there exists a fc-round verifier V such that 

1. There exists a /c-round prover P such that if x £ L then (P, V) accepts x with probability 1. 

2. For all A;-round provers P', if x £ L then (P ; , V) accepts x with probability at most e. 

A few notes regarding the above definition are in order. First, we note that there are a number 
of other ways in which we could have defined quantum interactive proof systems, such as a definition 
based on quantum Turing machines or a definition requiring that each circuit as above be given by 
V(|x|,i) or P(\x\,i), with x supplied as input to each circuit, for example. We have chosen the above 
definition because of its simplicity. Given the apparent robustness of the class of "polynomial-time 
computable quantum transformations," we suspect these definitions to be equivalent, although we have 
not investigated this question in detail. Second, we assume that each circuit corresponds to a unitary 
operator (e.g., no "measurement gates" are used). The action of any general quantum gate (i.e., a 
gate corresponding to a trace-preserving, completely positive linear map on mixed states of qubits) 
can always be simulated by some unitary gate (possibly adding more ancilla qubits) [||. As this will 
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Figure 1: Quantum circuit for a 2-round quantum interactive proof system 

not increase the size of a verifier's circuit by more than a polynomial factor, and will not affect the 
complexity of the mapping V significantly, our definition is equivalent to a definition allowing more 
general quantum gates. 

3 2-round quantum interactive proof systems for the QBF problem 

We begin this section by defining the quantified Boolean formula problem, which is complete for 
PSPACE. A quantified Boolean formula is a formula of the form Qixi ■ ■ ■ Q n x n B(xi, . . . , x n ), where 
each Qi is an existential or universal quantifier (3 or V) and B{x\,... Boolean formula 

(without quantifiers) in the variables xi, ■ ■ ■ ,x n . The quantified Boolean formula (QBF) problem is 
to determine if a quantified Boolean formula is true. 

To prove Theorem [l], it is sufficient to prove that there exists a 2-round quantum interactive proof 
system with exponentially small error for the QBF problem. This is because a verifier (and any honest 
prover) may first compute a polynomial-time reduction from a given problem in PSPACE to the QBF 
problem, then execute the protocol for QBF (adjusting various parameters in the protocol to reduce 
error as necessary). 



3.1 A classical protocol for QBF 

Our 2-round quantum interactive proof system for the QBF problem is based on a variant of the 
Lund-Fortnow-Karloff-Nisan protocol due to Shen |2Sf| , to which the reader is referred for a detailed 
description. In this section we review some facts regarding this protocol that will later be helpful. 
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Let us suppose the input formula Q = Q\X\ ■ ■ ■ Q n x n B(xi, . . . , x n ) is fixed. Also let F be a finite 
field, write N = ("J 1 ) +n, and let d be the length of Q (with a slight modification of the protocol, d = 3 
is sufficient). The protocol is as follows. For j = 1, . . . , N—l, the prover sends the verifier a polynomial 
fj over F of degree at most d, and the verifier chooses rj G F and sends r« to the prover. The prover 
then sends a polynomial to the verifier in the final round, and the verifier chooses r^r G F (there 
is no need for to be sent to the prover). The verifier then evaluates a particular polynomial-time 
predicate E(Q, r%,... , rjy, /i> • • • , /jv) and accepts if and only if the predicate evaluates to true. 

A formal description of E may be derived from the paper of Shen. Since the details of the predicate 
are not necessary for our discussion, we will only state certain properties of E. First, for any sequence 
of random numbers ri, . . . , rjv G F there exist polynomials c±,... ,cn, where each polynomial Cj 
depends only on r\,... , Tj—i, that correspond to the answers that should be given by an honest 
prover. These polynomials, which are well-defined regardless of the Boolean value of Q, satisfy the 
following properties: 

1. If Q evaluates to true, then for all sequences n, . . . , r^r, E(Q, n, . . . , rjy, ci, . . . , cat) = true. 

2. If Q evaluates to false, then for all sequences r±, . . . , rjv, E(Q, n, . . . , rjv, c\, f2, ■ ■ ■ , /n) = false 
for all polynomials /2, • • ■ , /at- 

3. If Q evaluates to false, then for any k G {1, ... , N — 1} and r\, . . . , G F, the following holds. 
If /i , . . . , fk are such that fk / c& , then there are at most d values of for which there exist 
r fc+ i, ... , tat and / fe+2 , ... , /at such that E(Q, r u . . . ,r N ,f 1: ... , f k , c k+1 , f k+2 , ... , /jv) = true. 

4. If Q evaluates to false, then for any r%, . . . , ttv_i and /i, . . . , /at for which /jy 7^ cat, there are at 
most <i values of r^r for which E(Q, r\, ■ ■ ■ , rjy, /1, . . . , /at) = true. 

For given ri, . . . , r k _i, we call the polynomial c k the correct polynomial corresponding to r%, . . . , r k _\. 

Clearly, if Q evaluates to true, an honest prover can always convince the verifier to accept by sending 
the correct polynomials c±, . . . ,cn corresponding to the verifiers random numbers ri, . . . , rjv— i- 

Now suppose that Q evaluates to false. By item 2, a cheating prover cannot send the correct 
polynomial c\ on the first round, for the prover rejects with certainty in this case. Hence the prover 
must send /1 7^ c\ if the verifier is to accept. Now suppose for k G {1, . . . , iV — 1} and r±, . . . , r k -\ the 
prover has sent polynomials /1 7^ ci, . . . , f k 7^ c k during rounds 1, . . . , k. Unless the verifier randomly 
chooses one of d particular values for r k , the prover may not send c k +i on the next round without 
causing the verifier to reject. Hence, if the prover sends an incorrect polynomial on round k, then with 
probability at least 1 — d/\¥\ it must send an incorrect polynomial on round fc + 1. Finally, if the prover 
does not send the correct polynomial cn during the last round, the verifier accepts with probability 
at most c£/|F|. Hence, the total probability that the verifier accepts may not exceed (dN)/\F\. 

Since the error probability of the protocol depends on the size of F, F may be chosen sufficiently 
large at the start of the protocol. It will be convenient for us to take F to be the field with 2 k ele- 
ments for k polynomial in n (hence yielding exponentially small probability of error). For any chosen 
k, the verifier (and honest prover) may use a deterministic procedure to implement arithmetic in 
F — specifically, compute an irreducible polynomial g of degree k over GF(2) in deterministic polyno- 



mial time [30], identify elements of F with polynomials over GF{2) of degree at most k — 1, and take 
arithmetic to be the usual arithmetic on polynomials modulo g. There is thus a natural correspondence 
between k bit strings and elements of F. 
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3.2 Quantum verifier's protocol for QBF 



We now describe the verifier's protocol for our 2-round quantum interactive proof system for the QBF 
problem. 

We use the following conventions when describing the quantum circuits corresponding to the veri- 
fier's actions. Collections of qubits upon which various transformations are performed are referred to 
as registers, and are labeled by capital letters in boldface. The registers required by the protocol are 
Rjj, Sij, and Fj,- for 1 < i < m and 1 < j < N, where N is as in the classical protocol described 



in Section 3.1 and m is some polynomial in n specified depending on the desired error as described 
below. Each register Rj and S$ consists of k qubits, where 2 k is to be the size of the field F. We 



view the classical states of these registers as elements in F in the usual way. Each Fjj consists of 
d + 1 collections of k qubits, for d as in the classical protocol, and we view the classical states of 
these registers as polynomials of degree at most d with coefficients in F. The verifier may also use any 
polynomial number of additional ancilla qubits in order to perform the transformations described. In 
addition, the verifier will store the vector u and any auxiliary variables needed for the protocol — as 
there will be no need for the verifier to perform quantum operations on these values, we consider them 
as being stored classically (although there is no difference in the behavior of the protocol if they are 
thought of as being stored in quantum registers). 

The error probability of the protocol will depend on m and k as described below in Section |3.3| — we 
may take m and k to be fixed polynomials in n to obtain exponentially small error. 

It will be convenient to refer to certain collections of the quantum registers mentioned above; 
for a given vector u £ {1, ••• , N} m we let R^) be the collection of registers R^i,... , Ri, Wi -i for 
i = 1,... ,m, and we let F^") be the collection of registers F^i,... , Fj jUi for i = 1, ... , m. See 
Figure |2] for an example. We also let Rj and Fj denote the vectors (Ri,i, . . . , Rj,jv) and (F^i, . . . , F^n), 
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Figure 2: Example division of R and F for N = 8, 
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5, and u = (6,4,7,2,5). 



respectively. 

The verifier's protocol is described in Figure ||. The check in step 1 refers to the classical protocol 
described in Section |3.1|. Naturally this check is performed by reversibly computing the predicate E 
(described in Section 3J), so as not to alter superpositions of valid pairs (R,F). The transformation 
H® k in step 4 is the Walsh-Hadamard transform applied to each qubit of the register in question, 
where 



F:|0) 



1 



V2 



(|0> + |1» 



and 



H:\l) 



1 



V2 



(|0>-|1» 



as usual. The random choice of the vector u in step 2 can be simulated efficiently with negligible error 
using the Walsh-Hadamard transform appropriately. (Note that this negligible error will not change 
the fact that the protocol has one-sided error.) 
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1. Receive quantum registers R and F from the prover. Reject if (Rj,Fj) contain an invalid proof 
that the input formula Q evaluates to true for any i £ {1, . . . , m}. 

2. Choose u E {1, . . . , N} m uniformly at random and send u and to the prover. 

3. Receive S from the prover and subtract Rj from S,,- for each i,j. 

4. Apply transformation H ® k to each register of RW . If RW now contains only values, then accept, 
otherwise reject. 



Figure 3: Quantum verifier's protocol for the QBF problem. 
3.3 Proof of correctness 

We now prove that the above protocol is correct. First we show that there exists an honest prover P 
such that (P, V) accepts with certainty whenever the input formula Q evaluates to true. 

Given QBF Q and mx N matrix R of elements in F, let C{R) denote the corresponding matrix of 



correct polynomials as defined in Section 3A_. For each i, C(R)i t \, . . . , C{R)i ) N is thus the sequence of 
polynomials the honest prover returns in the classical protocol given random numbers Ri,i, . . . , Ri t N- 
The honest (quantum) prover first prepares superposition 



-kmN/2 



J2\R)\C(R)) 

R 



in registers R and F, adds the contents of each register R$ to Sjj, and sends R and F to the verifier. 
Under the assumption Q is true, each pair (i?j,F,) the verifier receives is a valid pair with respect to 
the classical protocol, so the verifier will not reject in step 1. 

The behavior of the honest prover in the second round is as follows. For each let Tjj be a 
unitary transformation such that 

Tij :\R}\0)^ \R)\C(R) itj ). 

Upon receiving u and F^ in the second round, the prover applies transformation T7- to S together 
with Fjj for each appropriate pair This returns each register of F" to its initial zero value. The 
prover then sends S to the verifier. It may be checked that after subtracting each Rjj from Sij, the 
registers R( u ) will not be entangled with any other registers (as each register of F" depends only on 
those of R(")), and are in a uniform superposition over all possible values. Thus, each register of R(") 
is put into state during step 4, and hence the verifier accepts with certainty. 

Now we show that the verifier accepts with exponentially small probability in case Q is false, 
given any prover. We begin by examining the total state of the prover and verifier as the protocol is 
executed. In step 1 the prover sends registers R and F to the verifier. The state of the system at this 
point may be expressed as 

= ^»(R,F)\R)\FMR,F)}, 
R,F 

where each a(R,F) is a complex number and \£(R,F)) is a normalized vector representing the state 
of the prover's ancilla registers (which may be entangled with R and F in any manner the prover 
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chooses). Since the verifier rejects any pair R, F for which each (Ri,Fi) is not a valid proof that Q 
is true, we may assume \tp) is a superposition over such valid pairs for the purposes of bounding the 
probability that the verifier accepts. 

At this point, let us associate with each register Rjj and each register Fjj a random variable. 
The probabilities with which each random variable takes a particular value is precisely the probability 
that an observation of the associated register yields the given value, assuming that the observation 
takes place while the entire system is in state above. As we have done above for registers, we may 
consider collections of random variables as being single random variables, abbreviated by R^ n \ F^ u \ 
etc. For example, 



Pr[R = R, FW = 



J2<*(R,F)\FM)\t(R,F)) 



We also define a number of events based on these random variables. Recall the definition of C{R) 
from above (i.e., C(R) is the mx N matrix of correct polynomials an honest prover answers for given 
R). For 1 < i < m and 1 < j < JV — 1, define Aij to be the event that does not contain C(R)ij> 
for j' < j and Fj J+ i does contain C(R)i j+i, for R denoting the contents of R. For 1 < i < m, 
define A^n to be the event that Fj,/ does not contain C(R)ij> for every j'. Note that we must have 
PrLA^i U • • • U Ai ; jsr] = 1 for each i, as the verifier surely rejects in step 1 if F^i contains C(R)i t \. 
Finally, for each v £ {1, . . . , N} m define events B v and D v as B v = \J { Ai jVi and D v = f] i Ai tVi . 

In step 2 the verifier chooses u randomly and sends u and F^ M ^ to the prover. The prover applies 
some transformation to its registers (now including F( u )), sends some register S to the verifier, and 
the verifier subtracts the contents of R from S. The state of the system may now be described by 

0(R,u,FM)\R)\FM)\ V (R,u,FM)), 

where each @(R, u, F^) is a complex number and \rj(R, u, F^)) is a normalized vector describing the 
state of the prover's registers as well as register S. 

The verifier now executes step 4. Assuming for now that u is fixed, this results in acceptance with 
probability 



0(R, u, FW)\rW}(0 I H® k | fl littl ) • • • (0 1 H® k | R miU J\F^)\r ] (R, u, F^)) 



2 -ik 



J2p(R,u,f (u) )\v(R,u,fM)) 



where I denotes the number of registers to which H® k was applied, i.e., I = X^2=i( n — u i + !)• By the 
triangle inequality, this probability is at most 



2 ~ lk E E]/3(^,fW; 



(1) 



We now derive an upper bound on (||) by considering the random variables defined above. First, 
we state a definition and prove a lemma regarding this definition that will be useful for this task. 
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Definition 1 For any nonempty, finite set S and mapping f : S — > M + , define 



Os(f) = 




Lemma 1 Let f,g : S —* M + satisfy Yl S £sf( s ) — ^ an< ^ ~l2ses9( s ) — ^> ^ A e anc ^ ^ 

r = |{s e 5|/(s) = 0}|/|5|. T/ien " 



S (A/ + (1 - X)g) < + 
Proof. First note that for any set TCS and function h : T — > M + with X^er — 1> we nave 



ser y ser 

by the Cauchy-Schwarz inequality, and hence ^t(^) < 1- Now define 5' = {s G S\f(s) = 0}. We have 

y/e s (Xf + (l-\)g) = -^EVA/(s) + (l-A) 5 ( S ) 

V l 5 l se s 



^Ev^ + S E VA/W + (1 - AM,) 



ses" 



< V /(1-A)r + V / T 



r. 



Thus 9 s (Xf + (1 - A)s) < 1 - Ar + 2^(1 - A)r(l - r) < 1 - Ar + 2^/1^7 as claimed. 
Now, note that 



Pr 



for each R and i^W; the actions of the prover and verifier are norm-preserving, and hence will not 
affect the probabilities corresponding to each R and F^ u ' . Thus (|l|) may be rewritten 



2- ik E v Pr [ R = R > F(u) = 

rM,FW \r( u ) 

For each pair R( U \F( U \ define a mapping -X^( u ) : ¥ l — ► [0, 1] as follows: 



Pr 



The probability in (0) may be written as 



E [R. (u) = R {U) M U) = 9 Fl (X R(uKF(u) ). 

ft(u) p(u) 



(2) 



(3) 
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) = Pr 




= R (u) 


) = Pr 


Rt«) 





Define Y R ( U ) F (u) : F ; — > [0, 1] and 2T fl ( U ) F ( u ) : F' — > [0, 1] as follows: 

for events 5 U and denned previously. We have 

^F'(%»),fw) = ^!i^R(»),FW + (1 — \t) %R{u),F{ u ) 

for A u = Pr [B u |R( M ) = i?(«),p( u ) = fW]. 

Now consider the values of J?W for which Y R { U ) F (u) (R.M) = 0; we claim the number of such 
values is at least (l — dm2~ k ^ 2 kl for every HM.FW. This may be argued as follows. First, fix values 
for R( u \ FW, and i, and assume event A{ Ui takes place. By the properties of the classical protocol 
discussed in Section 3J., there are at most d values of Ri ;Ui that do not cause the classical protocol to 
reject in this case. Thus, the number of values of for which 



Pr 



R (u) = R (u) R (u) = R (u) } F («) = A . ] _^ 



is at most d2 k ^ l \ Since we have 



i=i 



R 



F («) 



the total number of values of R^ for which Yr(«) ^(«) / is at most dm2 ki ^- l \ 

Now we may apply Lemma [l] to obtain 



< 1-Pr 



R («) = R (u)^ F (u) = F (u) A _ d m2 - fc ) + 2V(im2- fc , 



and hence 

Pr [rW = = F^j f , < 1 - ^[Bu] (l - dm2~ k ^j + 2Vdm2- fc . (4) 

It remains to bound (||), given that u is chosen uniformly from {1, . . . , N} m . Let U denote the 
random variable corresponding to the verifier's choice of u. We bound Pr[F?;y] by conditioning on the 
events D v that describe the exact places where the prover tries to "sneak in" the correct polynomials. 
Specifically, we have 

Pt[B v ] = ^Pr[FyPr[£/ = u] = N~ m ^ Pv[B u \D v ] Pi[D v ] 

u u,v 

= N~ m ^ (N m -(N- l) m ) Pt[D v ] = 1 - (l - > 1 

Thus, the overall probability that the verifier accepts is at most 



-m/N 



1 - ( 1 - e- m ' N ) ( 1 - dm2~ k ] + 2Vdm2- k . 



By initially choosing m and k to be sufficiently fast growing polynomials in the input size \x\ (e.g., 
m = (\x\ + 1)N and k = 2\x\ +6+ [log(dm)]), this probability may be made smaller than 2~l a: l, which 
completes the proof. 
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4 Conclusions and Open Problems 



We have defined in this paper a natural quantum analogue of the notion of an interactive proof system, 
and proved that there exist 2-round quantum interactive proof systems with exponentially small error 
for any PSPACE language. We do not know if constant-round quantum interactive proofs characterize 
PSPACE, or if there are such proof systems for (presumably) larger classes (e.g., does NEXP have 
constant-round quantum interactive proofs?). We have investigated neither the polynomial round case 
nor the /c-round case for k > 2; what languages have such quantum proof systems? 

Several variants on interactive proof systems have been studied, such as multiprover interactive 
proofs P, H), [l4|, 19, 121JI , probabilistically checkable proofs 0, |2l|| , and interactive proof systems having 
verifiers with very limited computing power [15, [Tsifl . How do quantum analogues of these models 
compare with their classical counterparts? 
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